How I Found an XSS Vulnerability in Box.net in 5 Minutes
New Year's Resolution: Start blogging again.
Here goes nothing…
It all started with this great blog post I saw on the front page of Hacker News. It's about exploiting and responsibly disclosing an XSS bug to both Dropbox and Facebook. It's a quick read, so check it out.
I thought to myself… hmm maybe this same attack vector can be exploited in a similar service.
I tried a similar attack with Google Drive. It didn’t look promising. OK, let's try box.net. First, I tried to create a file with the name
'"><img src=x onerror=alert(document.cookie)>.jpeg in their web interface. Their response was:

So my next option was to upload a file from my local drive and sure enough, when I uploaded my file '"><img src=x onerror=alert(document.cookie)>.jpeg I was alerted with my cookie!
This might not be the most useful XSS vector for an attacker but it was good enough.

I responsibly disclosed the XSS vulnerability and they gave me some free storage!
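
In the post, creating the file in the web interface did not trigger the alert, while uploading the same name from disk did, and the name was then rendered as HTML. As an added example (not from the original post and not Box's code), the following shares one file name validator across both entry points and encodes the name at output time; all function names and the validation policy are assumptions.

```javascript
// Added example: all names here are hypothetical, not Box's code.

// Encode the five HTML-significant characters so a file name is always
// rendered as text, in element content or inside a quoted attribute.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored name is concatenated straight into markup.
function renderFileRowUnsafe(name) {
  return '<li class="file" title="' + name + '">' + name + '</li>';
}

// Hardened pattern: encode at output time, however the name was stored.
function renderFileRowSafe(name) {
  const safe = escapeHtml(name);
  return '<li class="file" title="' + safe + '">' + safe + '</li>';
}

// One validator shared by every path that can set a name (assumed policy):
// non-empty, at most 255 chars, no markup, path or control characters.
function validateFileName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 255) return false;
  return !/[<>"'&\\\/\u0000-\u001f]/.test(name);
}

// Both entry points run the same check, so upload cannot bypass create.
function createFile(store, name) {
  if (!validateFileName(name)) return { ok: false, reason: 'invalid name' };
  store.push(name);
  return { ok: true };
}
function uploadFile(store, upload) {
  // upload.filename is client-controlled (multipart Content-Disposition).
  return createFile(store, upload.filename);
}

// Constructed sample input: the file name used in the post.
const SAMPLE_NAME = '\'"><img src=x onerror=alert(document.cookie)>.jpeg';
const store = [];
console.log(createFile(store, SAMPLE_NAME));                  // rejected
console.log(uploadFile(store, { filename: SAMPLE_NAME }));    // rejected
console.log(uploadFile(store, { filename: 'holiday.jpeg' })); // accepted
console.log(renderFileRowSafe(SAMPLE_NAME));                  // inert text
```

Output encoding is the control that matters even when validation is in place, since names stored before the validator existed, or written through a path that skips it, still reach the page.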